I live in Arizona, which is of course the Grand Canyon State. And if you’ve ever stood on the South Rim of the Grand Canyon and looked across at the North Rim, you will definitely know the meaning of the expression, “So close but yet so far.”
This situation is actually similar to one that people often encounter in business continuity.
If you have read my ebook 10 Keys to a Peak-Performing Business Continuity Program, you will know that I believe every organization should adopt a BC standard and strive to bring their program into compliance with it. (For a quick refresher on business continuity standards, see our blog Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now.)
But often when I give this advice, I feel as if I have done the equivalent of transporting my reader to the South Rim then dropping them off and saying, “Now all you have to do is get to the North Rim. It’s right there, so I’m sure you’ll have no problem reaching it. Anybody can do it, it’s a piece of cake.”
Of course, it isn’t really a piece of cake getting from the South Rim to the North Rim, unless you’re a bird.
And it isn’t a piece of cake going from having adopted a BC standard to actually understanding how your organization stacks up against the standard and pinpointing what you need to do to boost your compliance with it.
On the one hand, you have a bundle of written guidelines and requirements, and on the other, you have your organization’s real-life situation, in all its complexity and hidden details: different departments, each with its own needs and its own level of business continuity readiness.
Crossing the Gap
So how do you cross the gap between one and the other? How do you measure your organization against the standard and figure out where you are and what exactly you need to do to raise your compliance?
It’s not an easy problem.
And as anyone who’s ever looked at them knows, standards don’t have scoring. There’s no easy way to look at them and gauge how you stack up, much less what you need to do to improve.
Solving this problem is the purpose of the various kinds of commercially available business continuity software products that are out there.
This includes our BCMMETRICS™ product Compliance Confidence (C2).
With all that in mind, I thought it might be helpful in today’s post to provide a short overview of the tool.
Compliance Confidence is a bridge that gets you from having the standard in your hand and paging through it in a state of confusion and anxiety to knowing precisely where your organization stands with regard to the standard and knowing what you need to do to strengthen your BCM program.
Here’s a quick description of how it works.
When using Compliance Confidence, one of the first screens you come to is one with a drop-down menu asking you to specify which BC standard or standards you would like to measure your program against. (For guidance on choosing a standard for your program, see this recent blog post.)
Once you choose a standard, the tool leads you screen by screen through a series of questions which are pertinent to the standard you choose and which are divided into the following sections:
- Program Administration
- Crisis Management
- Business Recovery
- IT Disaster Recovery
- Supply Chain Risk Management
- Fire and Life Safety
- Third Party Management
For each section, we suggest that you identify the people at your organization who are best qualified to provide information about that area, then meet with them and go through the relevant sections of Compliance Confidence, filling out the fields collaboratively. There are even places in the tool to attach supporting evidentiary documentation, making it easy to keep your information together, as well as a detailed document you can download that maps each question to the part of the standard it relates to.
Many people who use Compliance Confidence accomplish this process for their whole BCM program in around five to seven days.
At the end of the process, Compliance Confidence gives you a score of between 0 and 100 for each area, indicating the extent of your compliance with your chosen standard for that area.
Note that your score is not merely an average. Compliance Confidence weights some areas more than others. For example, recovery strategies and plans are given more weight than administration.
The weighting is built into the tool and reflects my judgments regarding what has the greatest bearing on whether a program can actually recover the business in the event of a disruption. These determinations were made based on my 25 years of experience in the field and in consultation with a focus group of other BC experts.
Here’s a (very) rough breakdown of the meaning of the different numbers:
- 0-60: Not compliant. You have your work cut out for you.
- 60-80: Moderately compliant. You’re well on your way.
- 80-100: Very compliant. You might have a few tweaks to make but, basically, keep up the good work.
I think of the scoring as being similar to a FICO score. Just as the FICO score tells you at a glance the state of your credit, your Compliance Confidence score quickly tells you how healthy your business continuity program is.
Once You Have Your Scores
So, what can you do once you have your scores? Here are a few things:
- Use them to create a roadmap of what you should do next to boost your compliance in different areas or overall.
- See what changes will give you the most bang for your buck in terms of bringing up your score.
- Make nuanced decisions about what to accept and what to change. (For example, based on your organization’s mission and priorities, you might decide you’re okay with a score of 75 in one area but commit to raising another area from 80 to 90.)
- Use your results to guide and explain your budget requests.
Compliance Confidence is not the only BC tool out there, but if your organization is in the market for BC software, I think you’ll find it well worth checking out.
What can Compliance Confidence do for you?
Our BCMMETRICS™ Compliance Confidence (C2) tool can help you get across the canyon which separates simply having adopted a BC standard from knowing how you stack up against it and what you need to do to boost your compliance with it.